WALLONN7 Posted February 3, 2017

US-CERT confirms vulnerability in Windows SMB service

Microsoft’s Windows operating system is once again impacted by a zero-day security flaw that allows attackers to crash systems with denial of service that would then open them to more possible attacks, including execution of arbitrary code.

An advisory published earlier today reveals that the vulnerability resides in the SMB service, and the US CERT says that both Windows 8.1 and Windows 10 are exposed to attacks. There are reports claiming that Windows Server systems could also be affected, but there’s still no confirmation in this regard.

Windows 8.1 and Windows 10 both affected

The US security institute explains its security engineers have already managed to reproduce a successful denial of service attack on fully-patched Windows 10 and 8.1 computers, but running arbitrary code is an exploit that cannot be confirmed right now as working.

“Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys,” the advisory reads.

Exploit code that allows attackers to take advantage of this zero-day flaw has already been posted online, so users of the two aforementioned operating systems are exposed until a patch is provided.

While everyone’s waiting for Microsoft to step in and release an out-of-band patch to fix the security issues, the US CERT says that there’s no solution to make sure users are on the safe side, but instead provides a temporary fix that involves blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

We have reached out to Microsoft for a statement and more information on how users can be protected against exploits and will update the article when we receive an answer. In the meantime, turning to US CERT’s recommendations seems to be the only good option, especially given that exploit code is already available online and can be used by any attacker until a patch is provided.
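The advisory quoted above describes a client that accepts a TREE_CONNECT response carrying more bytes than the fixed structure allows. The following added example (not code from the article, US-CERT or Microsoft) shows what a strict parser of that 16-byte structure looks like: it checks the declared StructureSize and refuses any trailing bytes. The field layout follows the public MS-SMB2 specification; the sample responses are constructed here, not captured traffic.

```python
import struct

# SMB2 TREE_CONNECT Response body (follows the 64-byte SMB2 header), fixed at 16 bytes:
#   StructureSize (2) | ShareType (1) | Reserved (1) | ShareFlags (4)
#   | Capabilities (4) | MaximalAccess (4)
TREE_CONNECT_RESP_FMT = "<HBBIII"
TREE_CONNECT_RESP_SIZE = struct.calcsize(TREE_CONNECT_RESP_FMT)  # 16


def parse_tree_connect_response(body: bytes) -> dict:
    """Parse a TREE_CONNECT response body, rejecting anything outside the fixed layout.

    Trailing bytes after the 16-byte structure are treated as a protocol error,
    which is the condition the advisory says the Windows client mishandles.
    """
    if len(body) < TREE_CONNECT_RESP_SIZE:
        raise ValueError(f"truncated TREE_CONNECT response: {len(body)} bytes")
    size, share_type, reserved, flags, caps, access = struct.unpack_from(
        TREE_CONNECT_RESP_FMT, body, 0)
    if size != TREE_CONNECT_RESP_SIZE:
        raise ValueError(f"bad StructureSize {size}, expected {TREE_CONNECT_RESP_SIZE}")
    if share_type not in (0x01, 0x02, 0x03):  # SMB2_SHARE_TYPE_DISK / PIPE / PRINT
        raise ValueError(f"unknown ShareType 0x{share_type:02x}")
    extra = len(body) - TREE_CONNECT_RESP_SIZE
    if extra:
        raise ValueError(f"{extra} unexpected trailing byte(s) after the structure")
    return {"share_type": share_type, "share_flags": flags,
            "capabilities": caps, "maximal_access": access}


def is_well_formed(body: bytes) -> bool:
    """Convenience wrapper: True only when the body parses cleanly."""
    try:
        parse_tree_connect_response(body)
        return True
    except ValueError:
        return False


# Constructed samples (not captured traffic): a well-formed DISK share response,
# and the same response with eight junk bytes appended past the structure.
GOOD_RESPONSE = struct.pack(TREE_CONNECT_RESP_FMT, 16, 0x01, 0, 0x0800, 0, 0x001F01FF)
OVERSIZED_RESPONSE = GOOD_RESPONSE + b"\x00" * 8

if __name__ == "__main__":
    print(parse_tree_connect_response(GOOD_RESPONSE))
    print("oversized response accepted?", is_well_formed(OVERSIZED_RESPONSE))
```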
Karlston Posted February 3, 2017

Computers running fully patched Windows 10, 8.1, Server 2012, and 2016 are hit by Blue Screens when trying to connect to an infected server

Security experts warn that it may be possible to exploit a vulnerability in a protocol widely used to connect Windows clients and servers to inject and execute malicious code on Windows computers.

Computers running fully patched Windows 10, 8.1, Server 2012, or 2016 that try to access an infected server will crash with a Blue Screen triggered in mrxsmb20.sys, according to a post by Günter Born on today's Born’s Tech and Windows World blog.

The vulnerability takes advantage of a buffer overflow bug in Microsoft’s SMBv3 routines. SMBv3 is the latest version of the protocol used to connect Windows clients and servers for sharing files and printers.

Proof of Concept code for the vulnerability was released on Github yesterday by @PythonResponder. There's been no response from Microsoft as yet.

There are currently no reports of this particular security hole leading to a takeover of affected computers, but US-CERT Vulnerability Note VU#867968 raises the possibility that new exploit code for the vulnerability may be able to inject and execute malicious code on Windows computers. Johannes Ullrich posted a warning on the SANS Internet Storm Center, concluding “it isn’t clear if this is exploitable beyond a denial of service.”

US-CERT advises: The CERT/CC is currently unaware of a practical solution to this problem... Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

Even more troubling, US-CERT gives this vulnerability a “Base” score of 10, their highest rating.

Born advises that the effect is limited on small networks: For me, it seems that this is for companies with WANs. For small LANs I would classify the risk as low, because an attacker needs access to the network shares. Also in networks with WLAN access is WPA2 protected, so I can’t see how the exploit can be used.

The discussion continues on the AskWoody Lounge.

Source: Vulnerability in Microsoft SMBv3 protocol crashes Windows PCs (InfoWorld - Woody Leonhard)
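Both posts relay the same US-CERT workaround: block SMB (TCP 139/445, UDP 137/138) leaving the local network for the WAN. The added example below (not from either article or from US-CERT) is a small detection pass a defender could run over perimeter firewall logs to find allowed LAN-to-WAN SMB flows that such a rule should have stopped. The key=value log format and the field names are assumptions for this example, and the log lines are constructed, not from any real firewall.

```python
import ipaddress
import re

# Ports named in the US-CERT workaround, per transport.
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# "Local network" is taken to mean RFC 1918 space; anything else counts as WAN.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a simple key=value style (assumed format, not a real product's).
SAMPLE_LOG = """\
action=allow proto=tcp src=192.168.1.20 dst=192.168.1.5 dport=445
action=allow proto=tcp src=192.168.1.20 dst=203.0.113.7 dport=445
action=allow proto=udp src=192.168.1.31 dst=198.51.100.9 dport=137
action=allow proto=tcp src=192.168.1.31 dst=198.51.100.9 dport=443
action=block proto=tcp src=10.0.0.8 dst=203.0.113.7 dport=139
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_lan_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def is_lan_to_wan_smb(action: str, proto: str, src: str, dst: str, dport: str) -> bool:
    """True when an *allowed* SMB flow left a LAN source for a non-LAN destination."""
    if action != "allow" or int(dport) not in SMB_PORTS.get(proto, set()):
        return False
    return is_lan_address(src) and not is_lan_address(dst)


def find_outbound_smb(log_text: str) -> list:
    """Return (src, dst, proto, dport) for every allowed LAN-to-WAN SMB flow in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_lan_to_wan_smb(**m.groupdict()):
            hits.append((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print("outbound SMB not blocked:", hit)
```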
SPECTRUM Posted February 3, 2017

already posted here: https://www.nsaneforums.com/topic/285843-zero-day-windows-security-flaw-could-crash-systems-cause-bsods/
Jordan Posted February 3, 2017

Topics merged
Israeli_Eagle Posted February 3, 2017

And the best & stable OS is...............
straycat19 Posted February 4, 2017

I am willing to bet Microsoft choked on that release. Gee, hard to believe that Windows 10 has more vulnerabilities than Windows 7, but it is true and has been true since day one. The fix for Windows 10 is to downgrade to Windows 7.
info999 Posted February 4, 2017

Why is it called zero-day? Zero-day bugs are bugs found in the first day of a product roll-out, and Windows 10 has been around for quite a while.
lordnsane Posted February 4, 2017

7 hours ago, info999 said:
Why is it called zero-day? Zero-day bugs are bugs found in the first day of a product roll-out, and Windows 10 has been around for quite a while.

Change your username to info1000 now, as you are getting one more now. Zero-days are simply bugs that weren't known before being publicly disclosed. Meaning many malicious entities could be exploiting/selling that bug in underground markets, but the first instance it's disclosed to the public when there's no patch by the vendor, it's called the zero-day.